---
page_title: "cloudflare_firewall_rule Resource - Cloudflare"
subcategory: ""
description: |-
  Define Firewall rules using filter expressions for more control over
  how traffic is matched to the rule. A filter expression permits
  selecting traffic by multiple criteria, allowing greater freedom in
  rule creation.
  A filter expression must be created before it can be used in a
  Firewall Rule.
---

# cloudflare_firewall_rule (Resource)

Define Firewall rules using filter expressions for more control over
how traffic is matched to the rule. A filter expression permits
selecting traffic by multiple criteria, allowing greater freedom in
rule creation.

A filter expression must be created before it can be used in a
Firewall Rule.

~> `cloudflare_firewall_rule` is in a deprecation phase that will last for one
  year (May 1st, 2024). During this time period, this resource is still fully
  supported but you are strongly advised to move to the `cloudflare_ruleset`
  resource. Full details can be found in the
  [developer documentation](https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/#relevant-changes-for-terraform-users).

## Example Usage

```terraform
resource "cloudflare_filter" "wordpress" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "Wordpress break-in attempts that are outside of the office"
  expression  = "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.src ne 192.0.2.1"
}

resource "cloudflare_firewall_rule" "wordpress" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "Block wordpress break-in attempts"
  filter_id   = cloudflare_filter.wordpress.id
  action      = "block"
}
```
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `action` (String) The action to apply to a matched request. Available values: `block`, `challenge`, `allow`, `js_challenge`, `managed_challenge`, `log`, `bypass`.
- `filter_id` (String) The identifier of the Filter to use for determining if the Firewall Rule should be triggered.
- `zone_id` (String) The zone identifier to target for the resource. **Modifying this attribute will force creation of a new resource.**

### Optional

- `description` (String) A description of the rule to help identify it.
- `paused` (Boolean) Whether this filter-based firewall rule is currently paused.
- `priority` (Number) The priority of the rule to allow control of processing order. A lower number indicates a higher priority. If not provided, any rules with a priority will be sequenced before those without.
- `products` (Set of String) List of products to bypass for a request when the bypass action is used. Available values: `zoneLockdown`, `uaBlock`, `bic`, `hot`, `securityLevel`, `rateLimit`, `waf`.

### Read-Only

- `id` (String) The ID of this resource.
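
The optional `priority`, `products` and `paused` attributes described above, combined in one configuration. This is an added example, not part of the provider's generated documentation; the resource names are hypothetical, and the zone ID and `192.0.2.1` are the placeholder values from Example Usage.

```terraform
# Constructed example: zone ID and 192.0.2.1 are the placeholders used above.
# Priority 1 (lowest number, so sequenced first): requests to wp-login.php
# from the office address skip only the two named products.
resource "cloudflare_filter" "office_login" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "wp-login.php requests from the office address"
  expression  = "http.request.uri.path ~ \".*wp-login.php\" and ip.src eq 192.0.2.1"
}

resource "cloudflare_firewall_rule" "office_login_bypass" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "Office: bypass rate limiting and WAF on wp-login.php"
  filter_id   = cloudflare_filter.office_login.id
  action      = "bypass"
  products    = ["rateLimit", "waf"]
  priority    = 1
}

# Priority 2: the block rule from Example Usage, now explicitly ordered.
resource "cloudflare_filter" "wordpress_block" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "WordPress break-in attempts that are outside of the office"
  expression  = "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.src ne 192.0.2.1"
}

resource "cloudflare_firewall_rule" "wordpress_block" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "Block WordPress break-in attempts"
  filter_id   = cloudflare_filter.wordpress_block.id
  action      = "block"
  priority    = 2
}

# No priority: sequenced after the prioritized rules. Created paused with the
# log action; set paused = false to turn it on.
resource "cloudflare_filter" "xmlrpc" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "All xmlrpc.php requests"
  expression  = "http.request.uri.path ~ \".*xmlrpc.php\""
}

resource "cloudflare_firewall_rule" "xmlrpc_log" {
  zone_id     = "0da42c8d2132a9ddaf714f9e7c920711"
  description = "Log xmlrpc.php requests (paused)"
  filter_id   = cloudflare_filter.xmlrpc.id
  action      = "log"
  paused      = true
}
```

Keeping the bypass filter pinned to a single path and source address, and listing only the products that must be skipped, limits how much protection the exception removes.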

## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_firewall_rule.example <zone_id>/<firewall_rule_id>
```
